True bills itself as the social networking app that will “protect your privacy.” But a security lapse left one of its servers exposed — and spilling private user data to the internet for anyone to find.
The app was launched in 2017 by Hello Mobile, a little-known virtual cell carrier that piggybacks off T-Mobile’s network. True’s website says it has raised $14 million in seed funding, and claimed more than half a million users shortly after its launch.
But a dashboard for one of the app’s databases was exposed to the internet without a password, allowing anyone to read, browse and search the database — including private user data.
Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the exposed dashboard and provided details to TechCrunch. Data provided by BinaryEdge, a search engine for exposed databases and devices, showed the dashboard had been exposed since at least early September.
After we reached out, True pulled the dashboard offline.
Bret Cox, chief executive at True, confirmed the security lapse but did not answer our specific questions, including whether the company planned to inform users of the security lapse or whether it planned to disclose the incident to regulators under state data breach notification laws.
The dashboard contained daily server logs dating back to February, and included the user’s registered email address or phone number, the contents of private posts and messages between users, and the user’s last known geolocation, which could identify where a user was or had been. The dashboard also exposed the email and phone contacts uploaded by the user, which True uses to match with known friends in the app.
None of the data was encrypted.
TechCrunch confirmed the dashboard was returning real user data by creating a test account and asking Hussein to provide data that only we would know, such as the phone number used to register the account.
Hussein said that the dashboard was also leaking account access tokens, which could be used to hack into and hijack any user’s account. These account access tokens look like a line of random letters and numbers, but keep the user logged into the app without having to enter their login details every time. Using our test account, Hussein found our access token from the dashboard, and used it to access our account and post a message on our feed.
The dashboard also exposed one-time login codes, which True sends to an account’s associated email address or phone number instead of storing passwords.
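The two paragraphs above describe server logs that carried live access tokens and one-time login codes alongside email addresses, phone numbers and geolocation, so that anyone who could read the logs could hijack accounts. The usual defence is to scrub such values before a log line is ever written, independently of who can later reach the log store. The following is an added illustration of that control in Python, not code from True, Hello Mobile or the article; the field names, regular expressions and sample log lines are constructed assumptions, and a real service would additionally avoid logging message bodies at all.

```python
"""
Added example: a logging filter that redacts secrets and personal data
(tokens, one-time codes, email addresses, phone numbers, geolocation,
message bodies) before a record reaches any handler.  Field names and
patterns are assumptions for illustration, not from the exposed system.
"""
import logging
import re

# Each entry: (compiled pattern, replacement).  Order matters: structured
# key=value secrets are handled first, free-form PII afterwards, so a token
# or code is never left behind for a later, looser pattern to mangle.
REDACTIONS = [
    # message/post bodies: body="...", "message": "..."  (should not be logged at all)
    (re.compile(r'(?i)\b(body|message|content)(["\']?\s*[:=]\s*)("[^"]*"|\'[^\']*\')'),
     r'\1\2"[REDACTED_CONTENT]"'),
    # access/session tokens in key=value or JSON form
    (re.compile(r'(?i)(access[_-]?token|auth[_-]?token|token|session)'
                r'(["\']?\s*[:=]\s*["\']?)([A-Za-z0-9._\-]{8,})'),
     r'\1\2[REDACTED_TOKEN]'),
    # HTTP Authorization: Bearer <token>
    (re.compile(r'(?i)(bearer\s+)([A-Za-z0-9._\-]+)'), r'\1[REDACTED_TOKEN]'),
    # one-time login codes: otp=482913, "login_code": "1234"
    (re.compile(r'(?i)(otp|login[_-]?code|verification[_-]?code|one[_-]?time[_-]?code)'
                r'(["\']?\s*[:=]\s*["\']?)(\d{4,8})\b'),
     r'\1\2[REDACTED_OTP]'),
    # geolocation: lat=37.7749 lon=-122.4194, "latitude": ...
    (re.compile(r'(?i)\b(lat(?:itude)?|lon(?:gitude)?|lng)'
                r'(["\']?\s*[:=]\s*["\']?)(-?\d{1,3}\.\d+)'),
     r'\1\2[REDACTED_GEO]'),
    # email addresses
    (re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'), '[REDACTED_EMAIL]'),
    # phone numbers: E.164 (+16465550100) or common US layouts; the digit
    # lookarounds keep timestamps such as 12:03:44 and dates intact
    (re.compile(r'(?<!\d)(\+\d{7,15}|\(?\d{3}\)\s?\d{3}[\s.-]?\d{4}|\d{3}[\s.-]\d{3}[\s.-]\d{4})(?!\d)'),
     '[REDACTED_PHONE]'),
]


def redact(text: str) -> str:
    """Apply every redaction rule, in order, to one formatted log line."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record's message so no handler ever sees the raw values."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())   # format args in, then scrub
        record.args = ()                           # args already consumed
        return True                                # keep the (scrubbed) record


def build_logger(name: str = "api") -> logging.Logger:
    """Logger whose only handler is guarded by the redacting filter."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger.handlers = [handler]
    return logger


# Constructed sample lines mimicking the kinds of data the article says the
# logs contained; none of these values are real.
SAMPLE_LOG_LINES = [
    '2019-10-14 12:03:44 INFO login ok user=alice@example.com phone=+16465550100 access_token=eyJhbGciOi.abc123XYZ',
    '2019-10-14 12:03:50 INFO otp sent phone=(646) 555-0100 otp=482913',
    '2019-10-14 12:04:02 INFO post created user_id=42 lat=37.7749 lon=-122.4194 body="meet at 5"',
    '2019-10-14 12:04:10 DEBUG request headers Authorization: Bearer eyJraWQiOiJ.payload.sig',
]


def scrub_lines(lines):
    """Redact a batch of already-written lines (e.g. when re-ingesting old logs)."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    log = build_logger()
    for line in SAMPLE_LOG_LINES:
        log.info("%s", line)   # printed with every sensitive value replaced
```

Attaching the filter to the handler rather than to individual loggers means records from third-party libraries that propagate to the same handler are scrubbed too; `scrub_lines` covers the second case the article raises, logs that were already written and retained for months.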
True says deleting an account “will immediately remove all of your content from our servers,” but deleting our test account did not remove our private messages, posts and photos, which could still be searched from the dashboard.
“This is another example of how mistakes can happen at any organization, even those that are privacy-centric,” Hussein told TechCrunch. “It highlights the importance of not only building secure applications and websites, but also ensuring that proper data security measures are embedded within their internal procedures.”
A spokesperson for Hello Mobile could not be reached.
You can contact the author with tips securely using Signal and WhatsApp to: +1 646-755-8849.